-
Notifications
You must be signed in to change notification settings - Fork 280
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Fixed READ_ACTIONS required by TermsAggregationEvaluator #4582
Conversation
The READ_ACTIONS array is passed by TermsAggregationEvaluator to securityRoles.getAllPermittedIndicesForDashboards() which checks whether privileges are available for all actions specified in READ_ACTIONS. READ_ACTIONS also contained the string "indices:data/read/field_caps*", which is actually wrong, because it is not an action but looks like pattern. However, the code behind securityRoles.getAllPermittedIndicesForDashboards() will never treat these strings as patterns. The "*" is only considered a normal, bare character. Patterns (via WildcardMatcher class) will be only applied to these strings. This had the effect that a bare privilege "indices:data/read/field_caps" was not sufficient to fulfill the requirement. It was necessary to have either "indices:data/read/field_caps*" in ones roles.yml or something broader like "indices:data/read/*". The latter is the most likely case, which is the reason why in most cases this gets unnoticed. Signed-off-by: Nils Bandener <[email protected]>
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks @nibix for addressing this! is there a way this can be tested to ensure that *
is a bare character here and would not expand?
src/main/java/org/opensearch/security/privileges/TermsAggregationEvaluator.java
Show resolved
Hide resolved
This is quite easy to verify by a simple manual static code analysis. This is the call path: security/src/main/java/org/opensearch/security/privileges/TermsAggregationEvaluator.java Lines 89 to 95 in 26a4c0b
This shows that the |
sure |
Signed-off-by: Nils Bandener <[email protected]>
Codecov ReportAll modified and coverable lines are covered by tests ✅
Additional details and impacted files@@ Coverage Diff @@
## main #4582 +/- ##
==========================================
- Coverage 65.28% 65.25% -0.04%
==========================================
Files 317 317
Lines 22272 22272
Branches 3582 3582
==========================================
- Hits 14541 14534 -7
- Misses 5939 5946 +7
Partials 1792 1792
|
@cwperks @DarshitChanpura is there anything still missing that blocks this? |
It needs one more approval. @DarshitChanpura @peternied @scrawfor99 @willyborankin @reta @RyanL1997 Can one of you take a look? |
Signed-off-by: Nils Bandener <[email protected]> (cherry picked from commit c5ebb99) Signed-off-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
The READ_ACTIONS array is passed by TermsAggregationEvaluator to securityRoles.getAllPermittedIndicesForDashboards() which checks whether privileges are available for all actions specified in READ_ACTIONS. READ_ACTIONS also contained the string "indices:data/read/field_caps*", which is actually wrong, because it is not an action but looks like pattern. However, the code behind securityRoles.getAllPermittedIndicesForDashboards() will never treat these strings as patterns. The "*" is only considered a normal, bare character. Patterns (via WildcardMatcher class) will be only applied to these strings.
This had the effect that a bare privilege "indices:data/read/field_caps" was not sufficient to fulfill the requirement. It was necessary to have either "indices:data/read/field_caps*" in ones roles.yml or something broader like "indices:data/read/*". The latter is the most likely case, which is the reason why in most cases this gets unnoticed.
Observed while working on #3870 and decoupled from #4380.
Description
[Describe what this change achieves]
Issues Resolved
Contributes to #3870
Testing
Integration testing via existing tests
Check List
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.